DriveTrust: Seagate Wants to Encrypt Your Drive

Seagate announced their move into disk security with "DriveTrust", a new hard drive feature that automatically encrypts all the data on your hard drive. Hoping to capitalize on the latest let's-keep-Americans-terrified-of-everything craze, this technology offers to render your data useless when the bad guy steals your laptop, boots it up, and sees the "Password?" prompt.

The benefits are clear: anybody who wants your data is just going to have do a little CIA-style "aggressive interviewing" on you to get it. But what might be the downsides? Let's take a tour of those.

First, DriveTrust is part of Seagate's foray into Digital Rights Management (DRM), as in "yeah, you bought the movie, but you don't have any right to play it, except in exactly the way we want you to". Will Seagate slip in a little feature that keeps you from moving that DriveTrust hard drive to a different computer and using it there? All in the name of security, of course, and if that means you have to buy an extra hard drive, well Seagate will be happy to take your money.

Second, do you trust Seagate with your data? If the National Security Agency (NSA) sidles up to Seagate and asks them to install a backdoor for them, it's safe to assume that Seagate will roll over like a whipped puppy. Of course, you also have to trust Seagate to select the encryption method, and it's possible they've selected one (128-bit AES encryption) that the NSA can already break.

OK, that last comment is extreme. 128-bit AES is widely viewed as secure. Today. But what about tomorrow? One thing we know about encryption systems is that they are always getting broken as time marches on. But Seagate is asking you to freeze your encryption choice in hardware that cannot be easily altered if 128-bit AES is broken tomorrow. When you use software encryption and the standard gets broken, you just switch to a different software package. A lot less fun to switch out all your hard drives when 128-bit AES gets broken!

While it is appealing to think of off-loading the computation required for encryption to a separate processor (the hard disk processor), consider history. Just about every past attempt to offload processor work has been destroyed by the relentless march of Intel, wielding Moore's Law like a giant co-processor-destroying sword. Over and over, they've shown that if you're making money by putting any kind of non-Intel processor inside a PC, the next generation of Intel CPU will slap you down. If Seagate makes any headway selling this DriveTrust feature, I wouldn't be surprised to see the next Intel CPU offer to do 128-bit AES even faster.

And who wants to let Seagate decide what gets encrypted and what doesn't? Do I really want to pay to have all the Windows system DLLs encrypted on the fly every time they load from disk? Software solutions let you decide what the granularity of encryption should be: individual files, folders, or the entire disk.

But come on, you say. Isn't this kind of brute-force whole-disk encryption needed to avoid the kind of debacles we see in the news where laptops full of credit card numbers, or social security data, or atomic bomb secrets keep getting stolen. Well, consider this: DriveTrust only asks for a password at powerup. So, if I steal your laptop and its DriveTrust drive while it's hibernating, DriveTrust doesn't do a darn thing. I don't know about you, but me and all the folks I know with laptops rarely turn them off: we use hibernation. That seals it for me -- I think DriveTrust is clearly more about PR and slipping DRM into your PC than it is about any serious, thoughtful effort to make your data safer.

I might talk you out of buying a DriveTrust drive, but I'm not going to talk Seagate out of shipping them. Seagate says DriveTrust encryption will first appear in their Momentus 5400 FDE.2 laptop drives next year. These are PATA and SATA drives that use perpindicular recording technology and come in 60/80/160GB sizes.

October